Thursday, April 9, 2009

Conficker Gets New Update via P2P

Trend Micro malware analysts have noticed an update being pushed to computers infected with Conficker, through the worm's peer-to-peer communication protocol. The new component features a self-destruct mechanism and points to a connection with the Waledac family of malware.

The analysis was slow going because the file is heavily obfuscated. According to the researchers, the new component was downloaded over the worm's peer-to-peer channel from a server located in Korea that was already known as a Conficker P2P node.

Detected by Trend Micro as WORM_DOWNAD.E, the update installs a new service under a random name and drops a correspondingly random-named executable; the temporary update file is deleted afterwards. The component keeps propagating to other computers through the same MS08-067 vulnerability, but it is set to stop doing so on May 3, for reasons not yet known. It also runs an HTTP server on port 5114.

The worm connects to several websites, including MySpace, MSN, eBay, CNN and AOL, most likely to determine whether Internet connectivity is present. Those sites are not at risk of being flooded with requests, however, because the update is not being pushed to all Conficker-infected machines at once.
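For a network defender, the two observable traits reported above are a new HTTP listener on port 5114 and a burst of connections to the five connectivity-check sites. The script below is an added triage example, not code from Trend Micro or from the article, that runs both heuristics over constructed sample data (a netstat-style listener snapshot and a few proxy log lines). It assumes the 5114 listener is TCP, which the report does not state, and treats the domain burst only as a weak corroborating signal, since ordinary browsing also reaches those sites.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report: the update opens an HTTP server on
# port 5114 and probes a set of popular sites to test connectivity.
# TCP is an assumption; the report does not name the transport.
LISTEN_PORT = 5114
CHECK_DOMAINS = {"myspace.com", "msn.com", "ebay.com", "cnn.com", "aol.com"}
WINDOW = timedelta(seconds=30)

# Constructed sample data (not real telemetry): a netstat-like listener
# snapshot, then proxy log lines of the form "timestamp host domain".
LISTENERS = """\
10.0.0.5 TCP 0.0.0.0:445 LISTENING
10.0.0.5 TCP 0.0.0.0:5114 LISTENING
10.0.0.7 TCP 0.0.0.0:445 LISTENING
10.0.0.9 TCP 0.0.0.0:5114 LISTENING
"""

PROXY_LOG = """\
2009-04-08T10:00:01 10.0.0.5 www.myspace.com
2009-04-08T10:00:02 10.0.0.5 www.msn.com
2009-04-08T10:00:02 10.0.0.5 www.ebay.com
2009-04-08T10:00:03 10.0.0.5 www.cnn.com
2009-04-08T10:00:03 10.0.0.5 www.aol.com
2009-04-08T10:05:00 10.0.0.7 www.cnn.com
2009-04-08T11:30:00 10.0.0.7 www.ebay.com
2009-04-08T12:00:00 10.0.0.9 www.example.org
"""

LISTEN_RE = re.compile(r"^(\S+)\s+TCP\s+\S+:(\d+)\s+LISTENING$")
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def base_domain(host):
    """Reduce www.cnn.com -> cnn.com (last two labels; enough for this list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def hosts_listening_on(listener_text, port=LISTEN_PORT):
    """Strong indicator: hosts with a listener on the reported port."""
    found = set()
    for line in listener_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m and int(m.group(2)) == port:
            found.add(m.group(1))
    return found


def hosts_probing_check_domains(proxy_text, window=WINDOW, min_domains=4):
    """Weak indicator: hosts reaching >= min_domains of the check set within window."""
    events = defaultdict(list)
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, host, dom = m.groups()
        dom = base_domain(dom)
        if dom in CHECK_DOMAINS:
            events[host].append((datetime.fromisoformat(ts), dom))
    flagged = set()
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {d for t, d in evs[i:] if t - t0 <= window}
            if len(seen) >= min_domains:
                flagged.add(host)
                break
    return flagged


def triage(listener_text, proxy_text):
    """Return {host: [reasons]} combining the strong and weak indicators."""
    findings = defaultdict(list)
    for h in hosts_listening_on(listener_text):
        findings[h].append("listener on %d" % LISTEN_PORT)
    for h in hosts_probing_check_domains(proxy_text):
        findings[h].append("burst of connectivity-check domains")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(triage(LISTENERS, PROXY_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

On the sample data 10.0.0.5 is flagged on both indicators, 10.0.0.9 only on the listener, and 10.0.0.7 on neither, since its two visits to check domains are hours apart. A host that matches only the domain burst deserves a look at its services list (a newly registered service with a random name and a random-named binary, per the report) before any conclusion is drawn.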